Google halts deletion of Street View Wi-Fi data

'Uncertainty' as govs mull probes

Google has stopped deleting the personal data its Street View cars collected from open Wi-Fi networks, following what the company called "some uncertainty" over the deletion process.

For three years, Street View cars collected Wi-Fi payload data across 30 different countries. Some countries have asked Google to delete the data - and in some cases, it has complied - while others have requested that the data be kept for the time being. One country, according to Google, asked that the data be retained after it had requested deletion.

Google's decision to retain all remaining data also comes after UK-based watchdog Privacy International said it would complain to the police if the company didn't stop deleting data by Monday - and after the EU requested a halt to the deletion.

"On the instructions of the Irish data protection commissioner, Google destroyed all Wi-Fi data relating to collection in Ireland," read an open letter from Privacy International to the European privacy commissioners earlier this week. "This action has the effect of removing any chance of further legal action of investigation. The action could be seen as collusion to destroy evidence."

Last Friday, Google announced that despite earlier assurances to the contrary, Street View had been collecting payloads from open Wi-Fi networks as its cars drove across the globe snapping digital photos. Previously, the company had said it was collecting only SSIDs that identified networks and MAC addresses that identified network hardware, but after German data protection authorities requested an audit of the program, Google says it discovered this was not the case.

In the blog post, Google called the payload data collection "a mistake," and the company said it would ask a third party to review its data collection software and to confirm that it deleted the data appropriately. It also said it would review its "procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future."

Today, in a statement sent to The Reg, Google said that it deleted data collected in Ireland, Austria, and Denmark, after data protection authorities in those countries requested its deletion. It also said that it's keeping data from Belgium, France, Italy, Spain, Germany, Switzerland, and the Czech Republic, after those countries requested it be kept. And it has now decided to keep all remaining data as well.

"Given that there is some uncertainty about deletion generally, for example one DPA [data protection authority] changed its instruction from delete to retain in the last 24 hours, we think it makes sense to keep the remaining country data while we work through these issues," the statement reads.

But the company was also under pressure from Privacy International and Brussels to halt deletion, and German authorities have already launched a preliminary criminal investigation into the data collection, as other countries consider such investigations, according to The FT.

In the US, lawmakers have called on the Federal Trade Commission to investigate the matter, and according to sources speaking with Reuters, both the FTC and the Department of Justice are considering the possibility. Meanwhile, two Americans have filed a class action suit against the company for intercepting their personal Wi-Fi data.

This past Monday, Google updated its original blog post on the matter to say that it had already deleted data at the request of Ireland. "On Friday May 14, the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland," the update read. "We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible."

The update also linked to a letter from the third-party - security outfit iSec Partners - that conformed the deletion. "Before my arrival, Google staff had consolidated the Wi-Fi packet captures onto four hard drives," read the letter, signed by iSec partner Alex Stamos. "This data was organized into folders corresponding to the countries of origin. Upon my acquisition of the drives from Google staff, I noted that the drives had been stored in a secure manner within a secure portion of the facility.

Stamos then said he copied all the data onto new hard drives with the exception of the Irish data, before destroying the original hard drives.

Google has confirmed with The Reg that about 600GB of data was collected in 30 countries. According to the company, its mobile team included payload-capturing code in the Street View cars' software despite the fact that the project leaders "did not want, and had no intention of using, payload data." ®